From 8ba1c356d02a4b570df9df421813e1d5b0f57344 Mon Sep 17 00:00:00 2001
From: Flavien Darche <flavien.darche@datadoghq.com>
Date: Fri, 27 Dec 2024 14:15:43 +0100
Subject: [PATCH] Add Envoy doc

---
 config/_default/params.yaml                   |   1 +
 .../threats/setup/threat_detection/envoy.md   | 113 ++++++++++++++++++
 .../security-platform/appsec-languages.html   |   7 ++
 3 files changed, 121 insertions(+)
 create mode 100644 content/en/security/application_security/threats/setup/threat_detection/envoy.md

diff --git a/config/_default/params.yaml b/config/_default/params.yaml
index 96a821301ac4d..9e43d43ee6b88 100644
--- a/config/_default/params.yaml
+++ b/config/_default/params.yaml
@@ -122,6 +122,7 @@ code_language_ids:
     otel: "OpenTelemetry API"
     status_legacy: "Status Page (Legacy)"
     status_page: "Status Page"
+    envoy: "Envoy"
 branch: ""
 
 signupclass: sign-up-trigger
diff --git a/content/en/security/application_security/threats/setup/threat_detection/envoy.md b/content/en/security/application_security/threats/setup/threat_detection/envoy.md
new file mode 100644
index 0000000000000..51a3e355c3279
--- /dev/null
+++ b/content/en/security/application_security/threats/setup/threat_detection/envoy.md
@@ -0,0 +1,113 @@
+---
+title: Enabling ASM for Envoy
+code_lang: envoy
+type: multi-code-lang
+code_lang_weight: 50
+aliases:
+  - /security_platform/application_security/getting_started/envoy
+  - /security/application_security/getting_started/envoy
+  - /security/application_security/enabling/tracing_libraries/threat_detection/envoy/
+further_reading:
+    - link: 'https://github.com/DataDog/dd-trace-go/tree/main/contrib/envoyproxy/go-control-plane/cmd/serviceextensions'
+      tag: "Source Code"
+      text: "Envoy integration's source code"
+    - link: "/security/default_rules/?category=cat-application-security"
+      tag: "Documentation"
+      text: "OOTB Application Security Management Rules"
+    - link: "/security/application_security/troubleshooting"
+      tag: "Documentation"
+      text: "Troubleshooting Application Security Management"
+---
+
+You can monitor application security for the Envoy proxy. The Datadog Envoy integration has support for threat detection and blocking.
+
+## Prerequisites
+
+- The [Datadog Agent][1] is installed and configured for your application's operating system or container, cloud, or virtual environment.
+- [Configure the Agent with Remote Configuration][2] to be able to block attackers from the Datadog UI.
+
+## Enabling threat detection
+### Get started
+
+The ASM Envoy integration is using the External Processing filter of Envoy.
+
+1. **Configure Envoy** to use the [External Processing filter][3].
+For example:
+  ```yaml
+  http_filters:
+    # ... other filters
+    - name: envoy.filters.http.ext_proc
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
+        config:
+          grpc_service:
+            envoy_grpc:
+              cluster_name: datadog_ext_proc_cluster
+              timeout: 1s
+
+  clusters:
+      # ... other clusters
+      - name: datadog_ext_proc_cluster
+        type: STRICT_DNS
+        lb_policy: ROUND_ROBIN
+        http2_protocol_options: {}
+        transport_socket:
+          name: envoy.transport_sockets.tls
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+        load_assignment:
+          cluster_name: datadog_ext_proc_cluster
+          endpoints:
+            - lb_endpoints:
+                - endpoint:
+                    address:
+                      socket_address:
+                        address: Your Datadog image host from step 2
+                        port_value: 443
+  ```
+
+  **Note**: you need to replace `Your Datadog image host from step 2` with the host where the Datadog Envoy docker image is running.
+
+  You can find more configuration options available in the [Envoy External Processor documentation][4].
+
+2. **Spin up a new container with the Datadog Envoy docker image.** The image is available on the [Datadog Go tracer GitHub Registry][5].
+
+  **Note**: Envoy integration is done using the [Datadog Go Tracer][6], the image is tagged with the same version as the tracer. The docker image is updated in the same release process as the tracer.
+
+  The docker image expose some configuration specifically for the Envoy integration:
+  | Environment variable                   | Default value   | Description                                                       |
+  |----------------------------------------|-----------------|-------------------------------------------------------------------|
+  | `DD_SERVICE_EXTENSION_HOST`            | `0.0.0.0`       | gRPC server listening address.                                    |
+  | `DD_SERVICE_EXTENSION_PORT`            | `443`           | gRPC server port.                                                 |
+  | `DD_SERVICE_EXTENSION_HEALTHCHECK_PORT`| `80`            | HTTP server port for health checks.                               |
+
+  As the integration is using the Datadog Go Tracer, it inherits all environment variables from the tracer. You can find more information in [Configuring the Go Tracing Library][7] and [ASM Library Configuration][8].
+
+  The Datadog Agent needs to be configured to receive traces from the integration:
+  | Environment variable                   | Default value | Description                                                           |
+  |----------------------------------------|---------------|-----------------------------------------------------------------------|
+  | `DD_AGENT_HOST`                        | `localhost`   | Hostname where your Datadog Agent is running.                         |
+  | `DD_TRACE_AGENT_PORT`                  | `8126`        | Port of the Datadog Agent for trace collection.                       |
+
+{{% appsec-getstarted-2-plusrisk %}}
+
+{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}}
+
+## Limitations
+
+As of version `1.71.0` the available functionality has the following important limitations:
+
+* The request body is not inspected, regardless of its content type.
+
+## Further Reading
+
+{{< partial name="whats-next/whats-next.html" >}}
+
+[1]: https://app.datadoghq.com/account/settings#agent
+[2]: https://docs.datadoghq.com/agent/remote_config/?tab=configurationyamlfile#enabling-remote-configuration
+[3]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_proc_filter
+[4]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto#extensions-filters-http-ext-proc-v3-externalprocessor
+[5]: https://github.com/DataDog/dd-trace-go/pkgs/container/dd-trace-go%2Fservice-extensions-callout
+[6]: https://github.com/DataDog/dd-trace-go
+[7]: https://docs.datadoghq.com/tracing/trace_collection/library_config/go/
+[8]: https://docs.datadoghq.com/security/application_security/threats/library_configuration/
diff --git a/layouts/partials/security-platform/appsec-languages.html b/layouts/partials/security-platform/appsec-languages.html
index aa9d43a075fb6..ea0df37eae186 100644
--- a/layouts/partials/security-platform/appsec-languages.html
+++ b/layouts/partials/security-platform/appsec-languages.html
@@ -58,6 +58,13 @@
           </div>
         </a>
       </div>
+      <div class="col">
+        <a class="card h-100" href="envoy">
+          <div class="card-body text-center py-2 px-1">
+            {{ partial "img.html" (dict "root" . "src" "integrations_logos/envoy.png" "class" "img-fluid" "alt" "nginx" "width" "400") }}
+          </div>
+        </a>
+      </div>
       </div>
     </div>
   </div>